Posted to users@spamassassin.apache.org by Michael Scheidell <mi...@secnap.com> on 2010/12/24 19:39:57 UTC

SA incorrectly tries ipv6 lookups with perl 5.10.1 and force_ipv4 can't be set in ../local.cf, possible fixes?

For SA, the IO-SOCKET-INET6 perl module is optional unless you want to parse 
ipv6 addresses.
For amavisd-new, it's suggested that you use it.

HOWEVER, this can and WILL cause problems with SA during lookups, as SA 
seems to try to do ipv6 lookups and fails, delaying each lookup by 28 
seconds.

(even if you only have ipv4), and 'force_ipv4' in ../local.cf and/or 
command line doesn't work.

That's 28 seconds for each rbl, mx, a, ptr, dkim and spf record lookup.
The test message goes from taking 6 seconds to taking almost 3 mins.

<http://www.gossamer-threads.com/lists/spamassassin/users/157611>

deinstalling IO-SOCKET-INET6 fixed this.

this seems to be a problem with perl 5.10.1, mainly, mostly?
IO-SOCKET-INET6     is current version 2.65, NET-DNS 0.66

This can also cause problems with amavisd-new and clamav, and/or any 
socket combination of 'x.x.x.x:xxxx'

<http://www.mail-archive.com/amavis-user@lists.sourceforge.net/msg14855.html>

using amavisd-new test-sample/sample-spam.txt.
ran twice, to fill the dns cache.

time spamassassin -D < sample-spam.txt
6.104u 0.133s 0:06.46 96.4%    5+34452k 0+0io 71pf+0w

installed IO-Socket-INET6:

Dec 24 12:35:42.967 [99229] dbg: util: final PATH set to: /sbin:/bin:/usr/sbin:/usr/bin:/usr/games:/usr/local/sbin:/usr/local/bin:/usr/X11R6/bin
-------->Dec 24 12:36:23.027 [99229] dbg: dns: no ipv6
Dec 24 12:36:23.027 [99229] dbg: dns: is Net::DNS::Resolver available? yes
Dec 24 12:36:23.027 [99229] dbg: dns: Net::DNS version: 0.66

total time with IO-Socket-INET6 installed:

6.070u 0.165s 2:46.46 3.7%    5+34427k 12+0io 3pf+0w

easier test, if you don't have amavisd-new: spamassassin --lint

with IO-Socket-INET6 installed: 46 seconds.
time spamassassin --lint
5.996u 0.097s 0:46.11 13.1%    5+35583k 0+0io 0pf+0w

without: less than 6 seconds:

5.871u 0.157s 0:06.03 99.8%    5+35554k 1+0io 0pf+0w

time spamassassin --lint --ipv4only
also, less than 6 seconds.

5.970u 0.143s 0:06.16 99.1%    5+35271k 0+0io 6pf+0w

in DnsResolver.pm I see:  also see complaints, problems, issues with 
Net::DNS::Resolver (google), I think this is a known problem.

./DnsResolver.pm:  # force only ipv4 if no IO::Socket::INET6 or ipv6 doesn't work
./DnsResolver.pm:  # to be safe test both ipv6 and ipv4 addresses in INET6
./DnsResolver.pm:  my $force_ipv4 = (!HAS_SOCKET_INET6) || $self->{main}->{force_ipv4} ||
./DnsResolver.pm:    $self->{res} = Net::DNS::Resolver->new(force_v4 => $force_ipv4);
./DnsResolver.pm:      $self->{force_ipv4} = $force_ipv4;
./DnsResolver.pm:  dbg("dns: no ipv6") if $force_ipv4;
./DnsResolver.pm:  my $ipv6opt = !($self->{force_ipv4});


I tried setting 'force_ipv4' in ../local.cf and at command line to no avail.
Dec 24 13:10:20.292 [99734] warn: config: failed to parse line, skipping, in "/usr/local/etc/mail/spamassassin/local.cf": force_ipv4 1
Dec 24 13:10:20.297 [99734] warn: config: failed to parse line, skipping, in "/root/.spamassassin/user_prefs": force_ipv4 1

works on cli:



this HACK fixes it, actually, it's just a workaround.

  diff -bBru /tmp/ DnsResolver.pm
--- /tmp/DnsResolver.pm    2010-12-24 13:07:51.000000000 -0500
+++ DnsResolver.pm    2010-12-24 13:08:07.000000000 -0500
@@ -82,6 +82,7 @@
  sub load_resolver {
    my ($self) = @_;

+  $self->{main}->{force_ipv4} = 1;
    if (defined $self->{res}) { return 1; }
    $self->{no_resolver} = 1;
    # force only ipv4 if no IO::Socket::INET6 or ipv6 doesn't work
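
Review bot: the added `$self->{main}->{force_ipv4} = 1;` at the top of load_resolver is unconditional and sits above the `if (defined $self->{res}) { return 1; }` early return, so it runs on every call and overwrites whatever the caller set, leaving no way to get IPv6 lookups back on a host where they work. Suggest gating the assignment on a setting or on a failed IPv6 probe, and moving it below the early return so it only applies when the resolver is first built.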

or, for amavisd-new, why do you need SOCKET-INET6 on a non ipv4 system?

and, on SA, why doesn't it set force_ipv4 the first time ipv6 lookup 
fails? STILL, they would increase the lookup time by at least 28 seconds.?

I tried this patch, and lint was fine with 'force_ipv4 yes' local.cf, 
but it didn't do the same thing as cli option:

diff -bBru /tmp/ Conf.pm
--- /tmp/Conf.pm    2010-03-16 10:49:21.000000000 -0400
+++ Conf.pm    2010-12-24 13:35:38.000000000 -0500
@@ -1355,6 +1355,33 @@
      }
    });

+=item force_ipv4 { yes | test[: name1 name2...] | no }   (default: no)
+
+By default SpamAssassin will attempt ipv4 connections if Socket-INET6 
installed.
+This can cause problems on some systems with Socket_INET6 installed 
that do not have
+ipv6 code in the kernel or network stack.  There is a command line 
option, but this
+is not used in code like amavisd-new
+
+=cut
+
+  push (@cmds, {
+    setting => 'force_ipv4',
+    default => 0,
+    type => $CONF_TYPE_STRING,
+    code => sub {
+      my ($self, $key, $value, $line) = @_;
+      if ($value =~ /^(?:yes|1)$/) {
+        $self->{force_ipv4} = 'yes';
+      }
+      elsif ($value =~ /^(?:no|0)$/) {
+        $self->{force_ipv4} = 0;
+      }
+      else {
+        return $INVALID_VALUE;
+      }
+    }
+  });
+
  =back

  =head2 LEARNING OPTIONS
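
Review bot: the handler stores the value in `$self->{force_ipv4}` on the object passed to the `code` callback, but load_resolver in the DnsResolver.pm hunk above reads `$self->{main}->{force_ipv4}`, and nothing in this hunk copies one to the other, which would account for lint accepting the line while the resolver behaves as before. Either have DnsResolver.pm consult the config value as well, or propagate it to the main object. The POD also needs a pass: the `=item` line advertises a `test[: name1 name2...]` form that the code rejects with `$INVALID_VALUE`, the text says "attempt ipv4 connections" where it presumably means ipv6, and `yes` is stored as the string 'yes' while `no` is stored as 0 under `$CONF_TYPE_STRING`, so a boolean type would be more consistent.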


-- 
Michael Scheidell, CTO
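
The stall in the post was located by reading the timestamps in `spamassassin -D` output by eye (the line marked `-------->`). As an added example that is not part of the original post, this Python script does the same over a whole debug log: it parses each line, folds wrapped continuation lines into the previous entry, and reports per-process gaps above a threshold. The names `parse` and `stalls`, the 5 second default and the sample text (constructed from the lines quoted above, with the PATH shortened) are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the format of the `spamassassin -D` lines quoted in the post.
SAMPLE = """\
Dec 24 12:35:42.967 [99229] dbg: util: final PATH set to:
/sbin:/bin:/usr/sbin:/usr/bin
-------->Dec 24 12:36:23.027 [99229] dbg: dns: no ipv6
Dec 24 12:36:23.027 [99229] dbg: dns: is Net::DNS::Resolver available? yes
Dec 24 12:36:23.027 [99229] dbg: dns: Net::DNS version: 0.66
"""

# "Mon DD HH:MM:SS.mmm [pid] level: message"; a leading marker such as "-------->" is tolerated.
LINE = re.compile(r"^\W*(\w{3} +\d+ \d\d:\d\d:\d\d\.\d{3}) \[(\d+)\] (\w+): (.*)$")

def parse(text):
    """Return [timestamp, pid, message] entries; wrapped lines extend the previous message."""
    entries = []
    for raw in text.splitlines():
        m = LINE.match(raw)
        if m:
            # The log carries no year; pin a leap year so "Feb 29" still parses.
            ts = datetime.strptime("2000 " + m.group(1), "%Y %b %d %H:%M:%S.%f")
            entries.append([ts, m.group(2), m.group(4).strip()])
        elif entries and raw.strip():
            entries[-1][2] += " " + raw.strip()
    return entries

def stalls(text, threshold=5.0):
    """Return (seconds, pid, message_before, message_after) for each gap >= threshold."""
    last, found = {}, []
    for ts, pid, msg in parse(text):
        if pid in last:
            prev_ts, prev_msg = last[pid]
            gap = ts - prev_ts
            if gap < timedelta(0):          # log ran across New Year
                gap += timedelta(days=366)
            if gap.total_seconds() >= threshold:
                found.append((round(gap.total_seconds(), 3), pid, prev_msg, msg))
        last[pid] = (ts, msg)
    return found

if __name__ == "__main__":
    for seconds, pid, before, after in stalls(SAMPLE):
        print(f"[{pid}] {seconds:.3f}s stall between:\n  {before}\n  {after}")
```

Running it over a debug log taken with and without IO-Socket-INET6 installed shows which step each delay precedes, rather than only the total from `time`.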